Essential Eight Maturity Model


First published: June 2017
Last updated: October 2021

Introduction

The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are the Essential Eight.

The Essential Eight are designed to protect Microsoft Windows-based internet-connected networks. While the Essential Eight may be applied to cloud services and enterprise mobility, or other operating systems, it was not primarily designed for such purposes and alternative mitigation strategies may be more appropriate to mitigate unique cyber threats to these environments. In such cases, organisations should consider alternative guidance provided by the ACSC.

The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on the ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.

Implementation

When implementing the Essential Eight, organisations should identify and plan for a target maturity level suitable for their environment. Organisations should then progressively implement each maturity level until that target is achieved.

As the mitigation strategies that constitute the Essential Eight have been designed to complement each other, and to provide coverage of various cyber threats, organisations should plan their implementation to achieve the same maturity level across all eight mitigation strategies before moving onto higher maturity levels.

Organisations should implement the Essential Eight using a risk-based approach. In doing so, organisations should seek to minimise any exceptions and their scope, for example, by implementing compensating security controls and ensuring the number of systems or users impacted are minimised. In addition, any exceptions should be documented and approved through an appropriate process. Subsequently, the need for any exceptions, and associated compensating security controls, should be monitored and reviewed on a regular basis. Note, the appropriate use of exceptions should not preclude an organisation from being assessed as meeting the requirements for a given maturity level.

As the Essential Eight outlines a minimum set of preventative measures, organisations need to implement additional measures to those within this maturity model where it is warranted by their environment. Further, while the Essential Eight can help to mitigate the majority of cyber threats, it will not mitigate all cyber threats. As such, additional mitigation strategies and security controls need to be considered, including those from the Strategies to Mitigate Cyber Security Incidents and the Information Security Manual.

Finally, there is no requirement for organisations to have their Essential Eight implementation certified by an independent party. However, Essential Eight implementations may need to be assessed by an independent party if required by a government directive or policy, by a regulatory authority, or as part of contractual arrangements.

Maturity levels

To assist organisations with their implementation of the Essential Eight, four maturity levels have been defined (Maturity Level Zero through to Maturity Level Three). With the exception of Maturity Level Zero, the maturity levels are based on mitigating increasing levels of adversary tradecraft (i.e. tools, tactics, techniques and procedures) and targeting, which are discussed in more detail below. Depending on an adversary’s overall capability, they may exhibit different levels of tradecraft for different operations against different targets. For example, an adversary capable of advanced tradecraft may use it against one target while using basic tradecraft against another. As such, organisations should consider what level of tradecraft and targeting, rather than which adversaries, they are aiming to mitigate.

Organisations need to consider that the likelihood of being targeted is influenced by their desirability to adversaries, and the consequences of a cyber security incident will depend on their requirement for the confidentiality of their data, as well as their requirement for the availability and integrity of their systems and data. This, in combination with the descriptions for each maturity level, can be used to help determine a target maturity level to implement.

Finally, Maturity Level Three will not stop adversaries that are willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Information Security Manual.

Maturity Level Zero

This maturity level signifies that there are weaknesses in an organisation’s overall cyber security posture. When exploited, these weaknesses could facilitate the compromise of the confidentiality of their data, or the integrity or availability of their systems and data, as described by the tradecraft and targeting in Maturity Level One below.

Maturity Level One

The focus of this maturity level is adversaries who are content to simply leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, systems. For example, adversaries opportunistically using a publicly-available exploit for a security vulnerability in an internet-facing service which had not been patched, or authenticating to an internet-facing service using credentials that were stolen, reused, brute forced or guessed.

Generally, adversaries are looking for any victim rather than a specific victim and will opportunistically seek common weaknesses in many targets rather than investing heavily in gaining access to a specific target. Adversaries will employ common social engineering techniques to trick users into weakening the security of a system and launch malicious applications, for example via Microsoft Office macros. If the account that an adversary compromises has special privileges they will seek to exploit it. Depending on their intent, adversaries may also destroy data (including backups).

Maturity Level Two

The focus of this maturity level is adversaries operating with a modest step-up in capability from the previous maturity level. These adversaries are willing to invest more time in a target and, perhaps more importantly, in the effectiveness of their tools. For example, these adversaries will likely employ well-known tradecraft in order to better attempt to bypass security controls implemented by a target and evade detection. This includes actively targeting credentials using phishing and employing technical and social engineering techniques to circumvent weak multi-factor authentication.

Generally, adversaries are likely to be more selective in their targeting but still somewhat conservative in the time, money and effort they may invest in a target. Adversaries will likely invest time to ensure their phishing is effective and employ common social engineering techniques to trick users to weaken the security of a system and launch malicious applications, for example via Microsoft Office macros. If the account that an adversary compromises has special privileges they will seek to exploit it, otherwise they will seek accounts with special privileges. Depending on their intent, adversaries may also destroy all data (including backups) accessible to an account with special privileges.

Maturity Level Three

The focus of this maturity level is adversaries who are more adaptive and much less reliant on public tools and techniques. These adversaries are able to exploit the opportunities provided by weaknesses in their target’s cyber security posture, such as the existence of older software or inadequate logging and monitoring. Adversaries do this to not only extend their access once initial access has been gained to a target, but to evade detection and solidify their presence. Adversaries make swift use of exploits when they become publicly available as well as other tradecraft that can improve their chance of success.

Generally, adversaries may be more focused on particular targets and, more importantly, are willing and able to invest some effort into circumventing the idiosyncrasies and particular policy and technical security controls implemented by their targets. For example, this includes social engineering a user to not only open a document but also to unknowingly assist in bypassing security controls. This can also include circumventing stronger multi-factor authentication by stealing authentication token values to impersonate a user. Once a foothold is gained on a system, adversaries will seek to gain privileged credentials or password hashes, pivot to other parts of a network, and cover their tracks. Depending on their intent, adversaries may also destroy all data (including backups).

Requirements for each maturity level

Requirements for Maturity Level One through to Maturity Level Three are outlined in Appendices A to C. A comparison of the maturity levels, with changes between maturity levels indicated via bolded text, is outlined in Appendix D.

Further information

The Essential Eight Maturity Model is part of a suite of related publications:

• Answers to questions about this maturity model are available in the Essential Eight Maturity Model FAQ publication.
• Additional mitigation strategies are available in the Strategies to Mitigate Cyber Security Incidents publication.
• Further information on additional mitigation strategies is available in the Strategies to Mitigate Cyber Security Incidents – Mitigation Details publication.
• Further Information on implementing application control is available in the Implementing Application Control publication.
• Further Information on patching is available in the Assessing Security Vulnerabilities and Applying Patches publication.
• Further Information on controlling Microsoft Office macros is available in the Microsoft Office Macro Security publication.
• Further Information on controlling privileged accounts is available in the Restricting Administrator Privileges publication.
• Further Information on implementing multi-factor authentication is available in the Implementing Multi-Factor Authentication publication.

Contact details

If you have any questions regarding this guidance you can write to us or call us on 1300 CYBER1 (1300 292 371).

Appendix A: Maturity Level One

Mitigation Strategy: Application control
Description:
• The execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets is prevented on workstations from within standard user profiles and temporary folders used by the operating system, web browsers and email clients.

Mitigation Strategy: Patch applications
Description:
• Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
• Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.
• A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services.
• A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
• Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

Mitigation Strategy: Configure Microsoft Office macro settings
Description:
• Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
• Microsoft Office macros in files originating from the internet are blocked.
• Microsoft Office macro antivirus scanning is enabled.
• Microsoft Office macro security settings cannot be changed by users.

Mitigation Strategy: User application hardening
Description:
• Web browsers do not process Java from the internet.
• Web browsers do not process web advertisements from the internet.
• Internet Explorer 11 does not process content from the internet.
• Web browser security settings cannot be changed by users.

Mitigation Strategy: Restrict administrative privileges
Description:
• Requests for privileged access to systems and applications are validated when first requested.
• Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
• Privileged users use separate privileged and unprivileged operating environments.
• Unprivileged accounts cannot logon to privileged operating environments.
• Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.

Mitigation Strategy: Patch operating systems
Description:
• Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
• Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release.
• A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
• A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
• Operating systems that are no longer supported by vendors are replaced.

Mitigation Strategy: Multi-factor authentication
Description:
• Multi-factor authentication is used by an organisation's users if they authenticate to their organisation’s internet-facing services.
• Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
• Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.
• Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.

Mitigation Strategy: Regular backups
Description:
• Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.
• Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.
• Unprivileged accounts can only access their own backups.
• Unprivileged accounts are prevented from modifying or deleting backups.

Appendix B: Maturity Level Two

Mitigation Strategy: Application control
Description:
• Application control is implemented on workstations and internet-facing servers to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.
• Allowed and blocked executions on workstations and internet-facing servers are logged.

Mitigation Strategy: Patch applications
Description:
• Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
• Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.
• Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month of release.
• A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services.
• A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
• A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.
• Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

Mitigation Strategy: Configure Microsoft Office macro settings
Description:
• Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
• Microsoft Office macros in files originating from the internet are blocked.
• Microsoft Office macro antivirus scanning is enabled.
• Microsoft Office macros are blocked from making Win32 API calls.
• Microsoft Office macro security settings cannot be changed by users.
• Allowed and blocked Microsoft Office macro executions are logged.

Mitigation Strategy: User application hardening
Description:
• Web browsers do not process Java from the internet.
• Web browsers do not process web advertisements from the internet.
• Internet Explorer 11 does not process content from the internet.
• Microsoft Office is blocked from creating child processes.
• Microsoft Office is blocked from creating executable content.
• Microsoft Office is blocked from injecting code into other processes.
• Microsoft Office is configured to prevent activation of OLE packages.
• PDF software is blocked from creating child processes.
• ACSC or vendor hardening guidance for web browsers, Microsoft Office and PDF software is implemented.
• Web browser, Microsoft Office and PDF software security settings cannot be changed by users.
• Blocked PowerShell script executions are logged.

Mitigation Strategy: Restrict administrative privileges
Description:
• Requests for privileged access to systems and applications are validated when first requested.
• Privileged access to systems and applications is automatically disabled after 12 months unless revalidated.
• Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
• Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
• Privileged users use separate privileged and unprivileged operating environments.
• Privileged operating environments are not virtualised within unprivileged operating environments.
• Unprivileged accounts cannot logon to privileged operating environments.
• Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
• Administrative activities are conducted through jump servers.
• Credentials for local administrator accounts and service accounts are unique, unpredictable and managed.
• Use of privileged access is logged.
• Changes to privileged accounts and groups are logged.

Mitigation Strategy: Patch operating systems
Description:
• Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
• Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release.
• A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
• A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
• Operating systems that are no longer supported by vendors are replaced.

Mitigation Strategy: Multi-factor authentication
Description:
• Multi-factor authentication is used by an organisation's users if they authenticate to their organisation’s internet-facing services.
• Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
• Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.
• Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.
• Multi-factor authentication is used to authenticate privileged users of systems.
• Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
• Successful and unsuccessful multi-factor authentications are logged.

Mitigation Strategy: Regular backups
Description:
• Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.
• Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.
• Unprivileged accounts, and privileged accounts (excluding backup administrators), can only access their own backups.
• Unprivileged accounts, and privileged accounts (excluding backup administrators), are prevented from modifying or deleting backups.

Appendix C: Maturity Level Three

Mitigation Strategy: Application control
Description:
• Application control is implemented on workstations and servers to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications, control panel applets and drivers to an organisation-approved set.
• Microsoft’s ‘recommended block rules’ are implemented.
• Microsoft’s ‘recommended driver block rules’ are implemented.
• Application control rulesets are validated on an annual or more frequent basis.
• Allowed and blocked executions on workstations and servers are centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.

Mitigation Strategy: Patch applications
Description:
• Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
• Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release, or within 48 hours if an exploit exists.
• Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month of release.
• A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services.
• A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
• A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.
• Applications that are no longer supported by vendors are removed.

Mitigation Strategy: Configure Microsoft Office macro settings
Description:
• Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
• Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.
• Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.
• Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View.
• Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis.
• Microsoft Office macros in files originating from the internet are blocked.
• Microsoft Office macro antivirus scanning is enabled.
• Microsoft Office macros are blocked from making Win32 API calls.
• Microsoft Office macro security settings cannot be changed by users.
• Allowed and blocked Microsoft Office macro executions are centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.

Mitigation Strategy: User application hardening
Description:
• Web browsers do not process Java from the internet.
• Web browsers do not process web advertisements from the internet.
• Internet Explorer 11 is disabled or removed.
• Microsoft Office is blocked from creating child processes.
• Microsoft Office is blocked from creating executable content.
• Microsoft Office is blocked from injecting code into other processes.
• Microsoft Office is configured to prevent activation of OLE packages.
• PDF software is blocked from creating child processes.
• ACSC or vendor hardening guidance for web browsers, Microsoft Office and PDF software is implemented.
• Web browser, Microsoft Office and PDF software security settings cannot be changed by users.
• .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.
• Windows PowerShell 2.0 is disabled or removed.
• PowerShell is configured to use Constrained Language Mode.
• Blocked PowerShell script executions are centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.

Mitigation Strategy: Restrict administrative privileges
Description:
• Requests for privileged access to systems and applications are validated when first requested.
• Privileged access to systems and applications is automatically disabled after 12 months unless revalidated.
• Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
• Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties.
• Privileged accounts are prevented from accessing the internet, email and web services.
• Privileged users use separate privileged and unprivileged operating environments.
• Privileged operating environments are not virtualised within unprivileged operating environments.
• Unprivileged accounts cannot logon to privileged operating environments.
• Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
• Just-in-time administration is used for administering systems and applications.
• Administrative activities are conducted through jump servers.
• Credentials for local administrator accounts and service accounts are unique, unpredictable and managed.
• Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled.
• Use of privileged access is centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
• Changes to privileged accounts and groups are centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.

Mitigation Strategy: Patch operating systems
Description:
• Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
• Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release, or within 48 hours if an exploit exists.
• A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
• A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
• The latest release, or the previous release, of operating systems are used for workstations, servers and network devices.
• Operating systems that are no longer supported by vendors are replaced.

Mitigation Strategy: Multi-factor authentication
Description:
• Multi-factor authentication is used by an organisation's users if they authenticate to their organisation’s internet-facing services.
• Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
• Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.
• Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.
• Multi-factor authentication is used to authenticate privileged users of systems.
• Multi-factor authentication is used to authenticate users accessing important data repositories.
• Multi-factor authentication is verifier impersonation resistant and uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
• Successful and unsuccessful multi-factor authentications are centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.

Mitigation Strategy: Regular backups
Description:
• Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.
• Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.
• Unprivileged accounts,
